Cipher Control

You can allow or block any or all TLS and SSH ciphers in SonicOS. This functionality applies to:

• DPI-SSL (TLS traffic inspected by the firewall)
• https MGMT (TLS sessions accessing the firewall)
• SSL Control (inspect TLS traffic passing through the firewall: non DPI-SSL)

Any change to the TLS ciphers apply to all TLS traffic.

The list of ciphers displayed in the Network > Firewall > Cipher Control page are a list of known TLS ciphers. The list of ciphers is a super set of supported ciphers. While this list contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller list of ciphers. For example, DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers or support some weak ciphers that are listed in Network > Firewall > Cipher Control.

The ciphers are ordered based on the security strengths, with ciphers on top more secure than the ones below. Both DPI-SSL and HTTPS MGMT implementations use the relative ordering of their supported ciphers based on Network > Firewall > Cipher Control; that is, for the DPI-SSL supported ciphers, DPI-SSL orders them based on the ciphers listed in Network > Firewall > Cipher Control. The same is true for HTTPS MGMT ciphers.